Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
From: "Laurent Destailleur (Eldy)" <eldy () users sourceforge net>
Date: Fri, 12 Aug 2005 00:22:59 +0200
Martin Pitt wrote:
> Hi Laurent, hi iDEFENSE!
>
> iDEFENSE Labs [2005-08-09 12:24 -0400]:
>> Shown as follows, the $url parameter contains unfiltered user-supplied data that is used in a call to the Perl routine eval() on lines 4841 and 4842 of awstats.pl (version 6.4):
>>
>> my $function="ShowInfoURL_$pluginname('$url')";
>> eval("$function");
>
> Thanks for spotting this. Also, please note that you correctly state that this vulnerable code is from 6.4.
>
>> iDEFENSE Labs has confirmed the existence of this vulnerability in AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4 has been released since the initial research on this vulnerability. AWStats 6.4 has replaced all eval() statements, and has mitigated the exposure to this vulnerability.
>
> 6.4 still contains loads of eval() statements, and still seems vulnerable against this flaw, since the quoted code hasn't changed at all.
>
>> This vulnerability has been addressed with the release of AWStats 6.4.
>
> As far as I can see, it is not yet fixed even in upstream CVS in awstats.pl.
>
> http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl
>
> So am I totally confused and somehow this was fixed in a different place (although I can't see how)? Or is this not yet fixed at all?
>
> Thanks,
> Martin

The eval function still exists; however, the parameters inside have been sanitized, which explains why the known exploits do not work any more now. However, maybe there is still a way to crack this (despite the sanitizing), but I can't "see" how for the moment. To be sure, I decided to completely remove the "eval" function in 6.5, which is in beta, but I consider 6.4 safe (until a way to hack the sanitizing is found).
--
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy () users sourceforge net
Instant messenger: ICQ=89306207, Jabber=Eldy
Web: http://www.destailleur.fr
AWStats: http://awstats.sourceforge.net
CVSChangeLogBuilder: http://cvschangelogb.sourceforge.net
AWBot: http://awbot.sourceforge.net
Dolibarr: http//dolibarr.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
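The two fix directions discussed in this thread, sanitizing the arguments of the string eval versus dropping the string eval altogether, side by side. This is an added example written for this page, not code from awstats.pl; ShowInfoURL_demo, the %hooks table and the sample URLs are hypothetical stand-ins.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): calling a plugin hook without string eval.
use strict;
use warnings;

# Hypothetical plugin hook, a stand-in for the real AWStats ShowInfoURL_* functions.
sub ShowInfoURL_demo { my ($url) = @_; return "demo:$url"; }

# Allowlist of known plugin names mapped to code references (hypothetical).
my %hooks = ( demo => \&ShowInfoURL_demo );

# Vulnerable shape, same as the line quoted from awstats.pl 6.4: $url is
# interpolated into Perl source text, so any quote character in $url changes
# the code that eval() compiles instead of being treated as data.
sub dispatch_eval {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    my $result   = eval($function);
    return defined $result ? $result : "eval error: $@";
}

# Hardened shape: the plugin name is resolved through the allowlist and $url is
# passed as an ordinary argument. No user-controlled byte ever becomes code,
# so there is no sanitizing step to get wrong.
sub dispatch_safe {
    my ($pluginname, $url) = @_;
    my $hook = $hooks{$pluginname} or return "unknown plugin: $pluginname";
    return $hook->($url);
}

my $plain = "http://example.com/";              # constructed sample
print dispatch_eval('demo', $plain), "\n";     # demo:http://example.com/
print dispatch_safe('demo', $plain), "\n";     # demo:http://example.com/

# A perfectly ordinary URL containing an apostrophe already breaks the eval
# version (Perl syntax error, reported via $@), while the safe version just
# passes it through unchanged.
my $odd = "http://example.com/?q=it's";        # constructed sample
print dispatch_eval('demo', $odd), "\n";       # eval error: ...
print dispatch_safe('demo', $odd), "\n";       # demo:http://example.com/?q=it's

# An unknown plugin name is rejected by the allowlist rather than compiled.
print dispatch_safe('nosuch', $plain), "\n";   # unknown plugin: nosuch
```

The allowlist lookup also covers $pluginname, which in the original line is interpolated into the function name; with a hash of code references neither parameter needs to be escaped.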